SECURITY.md: 4 additions & 0 deletions
@@ -6,6 +6,8 @@ The open source plotly.js library is provided "AS IS", with no security guarante
 In the 1.x releases of plotly.js, we attempt to protect against XSS attacks (and similar issues) resulting from
 untrusted data being graphed by plotly.js. However, XSS or other issues may still exist.
 
+Note that the typical use case for plotly.js is for visualizing data from trusted sources. For example if you use plotly.js to add a dashboard to your site and you control all the input data that's sent to plotly.js, you are not dependent on plotly.js for XSS protection.
+
 If you require a higher degree of assurance, please consider purchasing our
 [Plotly On-Premise](https://plot.ly/product/enterprise/) product, or [contact the Plotly sales team](mailto:sales@plot.ly)
 for more options.
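Review bot: the added paragraph's notion of "trusted sources" is too loose for a security policy: data that a site owner fetches from their own database is still untrusted if any of it (axis labels, trace names, hover text, annotations) was originally typed by end users, and that is exactly the case where the XSS protection this document is hedging on matters. Suggest making the condition explicit, e.g. "you control all the input data that's sent to plotly.js and none of it is derived from user-supplied strings", so readers do not read "I control the data pipeline" as "I control the data". Minor: "For example if you use" needs a comma after "For example".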
@@ -25,6 +27,8 @@ plotly.js security fixes are normally released as "patch" releases on top of the
 
 Security fixes are also backported to older versions of plotly.js as required by paying Plotly On-Premise or Plotly Cloud customers. These fixes are released as "patch" releases, and are made available to the community once affected customers have upgraded. We also accept backports to older versions contributed by community members.
 
+Since the typical plotly.js use case involves trusted data, we do not remove old, potentially vulnerable versions from our GitHub repo or from our CDN.
+
 ## Advisories
 
 All plotly.js security advisories released after August 1, 2016 are available at the [Plotly Security Advisories](http://help.plot.ly/security-advisories/) page.
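Review bot: the added sentence states a consequence (old, vulnerable builds stay on the CDN and in the repo) without telling the reader what to do about it; the "trusted data" rationale also does not follow, since whether a given deployment's data is trusted is unknown to Plotly. Suggest adding one sentence of guidance next to it, e.g. "If you load plotly.js from our CDN, pin to a version that includes the fixes relevant to you; old version URLs are never updated in place", and pointing at the Advisories section immediately below for how to find those versions. Separately, since this is the document that tells users where security advisories live, the advisory link in the context line (http://help.plot.ly/security-advisories/) should use https.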